We all know we should be using SSL whenever we collect passwords or other sensitive information. SSL provides two main benefits:

Encryption: The data can't be read by a middle-man while in transit.

Protection against MITM attacks: A man in the middle can't impersonate the server, since they can't produce a CA-signed certificate for it.

If I'm downloading an application, I'm probably going to run it at some point, maybe even as root. Some programs will be signed, but many aren't. Shouldn't downloads be done over SSL so that I know that it hasn't been tampered with during transit?

If somebody steals my password, that's bad. But if somebody plants a keylogger on my computer, that's way, way worse.

Actually, there are three main benefits: confidentiality, integrity, and authenticity. I.e. encryption, hashing, and authentication. Though in this case I assume you are more focused on the 2nd and 3rd...
– AviD♦ Aug 19 '12 at 10:18

"The data can't be read by a middle-man while in transit" does not apply in the application-download scenario. If I know you're visiting Mozilla's website and downloading a large amount of data, it is almost certain, without even looking at your data stream, that you're downloading the latest version of Firefox; I can just get it from Mozilla myself instead of having to decrypt your stream. So serving application downloads over HTTPS only really protects against MITM tampering.
– Lie Ryan Aug 19 '12 at 12:28

@LieRyan, which is what I said. "SSL provides two main benefits" was more of an overview of SSL than it was a list of benefits for downloaded files.
– Tom Marthenal Aug 19 '12 at 21:26

@Lie Ryan: Traffic analysis will give you hints on what is likely to be in transit - but knowing that I'm probably downloading a Firefox binary is much less useful than knowing that I'm downloading a Firefox binary of version Foo, UI language Bar, architecture Baz for OS Quux - not all builds are created equal ;) Moreover, some OSes have repositories hosting many apps - I have a connection open to https://repository.example.com/, hosting packages for a distribution; now what am I downloading?
– Piskvor Aug 21 '12 at 9:31

4 Answers

Because HTTPS is not very well suited to securing downloads of large public files. For this use case, it's slow and not that useful. There are reasons for not using HTTPS well beyond incompetence or unawareness.

HTTPS requires more resources on the server. Google got Gmail down to a 1% CPU overhead and a 2% bandwidth overhead, but that is a very different use case. The Gmail frontend servers do more than mindlessly serve files; a file server doesn't need a powerful CPU in the first place (it's very strongly IO-bound), so the relative overhead is likely to be significantly larger. The same goes for memory: a file server needs very little memory per session in the first place; almost all of its memory is disk cache. Getting the resource usage down requires a serious amount of work.

HTTPS uses more bandwidth. The overhead per download is minimal only if you don't take caching into account; that's the spherical cow in "HTTPS doesn't cost more": if you use SSL, intermediate proxies can't cache the data. Application downloads are cacheable in the extreme: they're large files that many people download.

HTTPS is overkill. The confidentiality of an application download is rarely an issue, all we need is authenticity. Sadly, HTTPS doesn't provide authenticity without also providing confidentiality. Authenticity is compatible with caching, but confidentiality isn't.

HTTPS wouldn't help many people. The security-conscious will check the SHA-1 hash provided by the vendor (which should itself be served over HTTPS). The non-security-conscious will blithely click through the "this connection is insecure" warning (there are so many badly configured servers out there that many users are trained to ignore HTTPS errors). And that's not to mention dodgy CAs who grant certificates that they shouldn't.

HTTPS doesn't even fully solve the problem. If you're getting your application straight from the vendor's website, HTTPS does ensure the authenticity of the application. But if you're getting your application from a third party (e.g. mirrors of free software), HTTPS only protects the connection with the third party. A package signature scheme works better: it can protect the whole chain from the vendor.

If you want to make sure that you're getting the genuine application, check its signature, or check its hash against a reference value that you obtain with a signature (for example over HTTPS).
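
To make that last point concrete, here is a minimal sketch (the file name and payload are invented for illustration) of checking a download's hash against a reference value obtained over a trusted channel such as HTTPS:

```python
import hashlib

def sha256_of(path, chunk_size=8192):
    """Compute the SHA-256 hex digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

# Stand-in for a file fetched over plain HTTP (hypothetical payload).
payload = b"pretend this is the application installer"
with open("app-installer.bin", "wb") as f:
    f.write(payload)

# Stand-in for the reference hash the vendor publishes over HTTPS.
reference = hashlib.sha256(payload).hexdigest()

if sha256_of("app-installer.bin") == reference:
    print("OK: file matches the published hash")
else:
    print("MISMATCH: possible tampering in transit")
```

Run as-is this takes the OK branch, since the "download" and the "published" hash come from the same bytes; in a real deployment the two arrive over different channels, which is exactly what gives the check its value.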

I asked my old employer why we were forcing HTTPS for everything, and their reply was "Because we have an extended validation cert and people respect the color it turns their browser bar". My desk almost broke when my head hit it. This is a very useful answer that I hope helps to dispel some of that 'mythical' thinking.
– Tim Post♦ Aug 19 '12 at 3:57

It's the same reason as why not all login prompts are using https yet: people are too lazy, think a certificate is too expensive, or have hosting that charges more for using https.

The real question is why downloads are served over a plain connection more often than login forms, and I think this is mostly unawareness. Checksums are often provided, but they are not secure if served over HTTP. One good use of checksums I've seen was posting them to Twitter (which uses HTTPS, and can reasonably be assumed to be uncompromised). However, I don't know anyone who actually checks the checksum, except perhaps when the software doesn't run; usually TCP is trusted to do reasonable error checking.

Of course, HTTPS is heavier on the server than HTTP. For high-traffic websites this may be a reason. But then again, high-traffic websites can also generate the revenue to finance it.

I check checksums. I don't mind an HTTP mirror, as long as the checksum itself is served securely so I can check against it. I would add that all the major package managers on Linux do signing and/or checksum checks.
– ewanm89 Aug 18 '12 at 23:05

Assuming you're MITM'd, you can't trust any connection without TLS and a verified signature. That includes Twitter.
– Gant Jul 25 '13 at 17:59

@DamonGant What do you mean, "that includes Twitter"? Manually going to twitter.com in a private browsing window (no cookies or other cache) automatically redirects me to HTTPS (which is TLS, as I guess you know), and the browser checks the certificate's signature. So I don't understand what you mean.
– Luc Jul 26 '13 at 0:10

@DamonGant Oh, of course, SSL is bypassed if you don't either type https:// or verify that the connection is secure (padlock). Still, I think Twitter can be assumed to be a reasonably secure way of distributing checksums. And if you're smart enough to check checksums, you're probably also smart enough to make sure your connection to Twitter is secure.
– Luc Jul 29 '13 at 19:14

Arguably, when users download an application over the web, the application download should be over HTTPS, because it is the cleanest user experience for users that provides security that they can comprehend. It is arguably realistic to expect many users to check for a green glow in the address bar before they download, but it is not reasonable to (for instance) expect them to compute hashes and check them securely.

However, these application downloads often aren't offered over HTTPS, for a variety of possible reasons:

Good reasons: HTTPS prevents caching in the network. This may increase network traffic, load on the server, and load on the client-side network.

Bad reasons: people have the mistaken belief that "HTTPS is slow" (a myth); setting up a server with SSL takes extra work; they rely upon mirrors, and the mirror sites don't use HTTPS; or people simply haven't thought of it or don't think they are at risk. For widely used software, these reasons are probably short-sighted. Apparently, some sites also use load balancers or accelerators that are brain-dead and don't understand HTTPS properly, and they don't want to, or can't afford to, engineer a proper deployment that can speak HTTPS.

The biggest problem usually is that servers in big deployments sit behind brain-dead accelerators that reverse-proxy all requests. Deploying SSL in such a distributed environment is either impossible, very hard, or cuts performance by a wide margin (because SSL can't be properly set up or is simply broken).
– Hubert Kario Aug 19 '12 at 1:29

HTTPS is a bandwidth hog compared to HTTP because it renders proxies unable to cache. When you, for example, have 300 machines that need a major Firefox upgrade, that makes a huge difference. The right solution is to use HTTP but to verify the application's checksum or signature.
– David Schwartz Aug 19 '12 at 5:38

@DavidSchwartz "The right solution is to use HTTP but to verify the application's checksum or signature." The right solution would be a protocol for secure public downloads (with a new URL scheme).
– curiousguy Aug 19 '12 at 8:07

@D.W.: AFAICT, most Linux package managers use cryptography to sign the packages and to authenticate the servers and the checksums, but I've never heard of any that encrypt the packages themselves; that would just be a wasteful use of resources with no additional security. Also, your article does not apply to application downloads; the workload characteristics of a mail server or a web server are very different from those of a file server. In the application-download scenario, everyone downloads the same files, unlike a mail server where everyone is served different content.
– Lie Ryan Aug 19 '12 at 12:20

@DavidSchwartz, great point! Thank you. I've updated my answer with your observation. Sounds like one clean solution to that is to make a small downloader program available over HTTPS; when the user runs it, it performs the secure download and checks the checksums. (I don't think it is reasonable to expect users to verify checksums or signatures manually; you need to make it automatic.)
– D.W. Aug 19 '12 at 16:30

Most of the time there will be MD5 and SHA-1 sums for the application. After you download it, compute the sum yourself and compare it to the one displayed on the website. If the one you calculated is the same, then there is no problem.
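
As a sketch of that comparison (the "published" digests here are simulated; in practice you would copy them from the vendor's page), Python's standard hashlib handles both sums:

```python
import hashlib

# Simulated downloaded file.
data = b"example application bytes"
with open("download.bin", "wb") as f:
    f.write(data)

def file_digest(path, algorithm):
    """Hex digest of a file under the named algorithm (e.g. 'md5', 'sha1')."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        h.update(f.read())
    return h.hexdigest()

# Stand-ins for the sums displayed on the website.
published_md5 = hashlib.md5(data).hexdigest()
published_sha1 = hashlib.sha1(data).hexdigest()

print(file_digest("download.bin", "md5") == published_md5)    # True
print(file_digest("download.bin", "sha1") == published_sha1)  # True
```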

@Luc: precisely--this is the same reason a login page must be in HTTPS and not just the page/controller that processes a login request. If I'm accessing the download page over regular HTTP, then an attacker can simply swap out the checksum for one of their own.
– Tom Marthenal Aug 18 '12 at 22:44

I suppose you were looking at the page over HTTPS while the download was being done over plain HTTP.
– Lucas Kauffman Aug 18 '12 at 22:44

Checking the download against the value displayed on the website is OK if 1) the integrity information is downloaded via a secure protocol, so tampering is impossible, and 2) the checking step is fully automated, so you don't get a chance to forget (or take the easy way out). IOW, if a sane package manager handles it.
– curiousguy Aug 18 '12 at 23:55

HTTP + checksum or signature may be the right solution for a specialized protocol, such as an updater or a package manager, but not for downloads from the browser. Usability is simply too bad: you can't expect a normal user to manually verify the checksum.
– CodesInChaos Aug 19 '12 at 7:46